mod_auth_kerb credential error for principal
Douglas E. Engert
deengert at anl.gov
Thu Mar 22 15:56:43 EDT 2007
A couple of things.
AD is case insensitive, but Kerberos is not.
The principal should have a lowercase host name.
Fix it now before it causes more problems.
kinit requires a principal as a parameter.
kinit -k \
-t /usr/local/apache2/conf/apache.keytab \
HTTP/linuxserver.domain.com@WEG.NET
The account name myuser should relate to the
principal name, as each principal will need an account.
(MS called it a user account, it is not a real user, it is
for the service.)
Edson Habowsky wrote:
> Hello,
>
> I'm facing a serious problem with a Kerberos ticket.
>
> I'm trying to authenticate Windows users to the Linux Apache web server using the Kerberos authentication method, and for Apache, mod_auth_kerb.
>
> Having problems with keytab.
>
>
>
> Targeting domain controller: DCserver.domain.com
>
> Successfully mapped HTTP/LinuxServer.domain.com to myuser.
>
> Type the password for HTTP/LinuxServer.domain.com:
>
> Type the password again to confirm:
>
> Key created.
>
> Output keytab to c:\temp\apache.keytab:
>
> Keytab version: 0x502
>
> keysize 56 HTTP/LinuxServer.weg.net@WEG.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 23 etype 0x3 (DES-CBC-MD5) keylength 8 (0x2f342c51891c1c68)
>
> Account myuser has been set for DES-only encryption.
>
>
>
>> I'm trying to use this keytab on the Linux Apache server with
>
>> mod_auth_kerb; and if I put the apache.keytab that was just created on the Windows side onto the Linux side, it
>
>> doesn't work. I get the error when I run the kinit command:
>
>
>> #kinit -k -t /usr/local/apache2/conf/apache.keytab
>
>> kinit(v5): Client not found in Kerberos database while getting initial
>
>> credentials
>
>
>
> If I run kinit myuser and enter my password, it works fine, and after running this, if I run klist it shows me the cached ticket fine.
>
> Also, if I run kutil and check the kvno in the keytab, it gives me the right number (the same as the one created on the Windows site through ktpass).
>
>
>
>
>
>> May someone help me, please?
>
>> I've been stuck on this for almost one week, and don't know what else to do.
>
>
>
> Edson Habowsky
> Departamento de Sistemas de Informação
> Sc Data Center - Tecnologia
> Analista de Infra - Servidores/Storage
> Fone: 55 (47) 3276 4619 - edsonh at weg.net <mailto:edsonh at weg.net>
> WEG Equipamentos Elétricos S.A. - Corporativo
> "TRANSFORMANDO ENERGIA EM SOLUÇÕES"
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
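
The following Python example is added here and is not part of either message or of mod_auth_kerb. It parses a version 0x502 keytab, the format ktpass reports in the quoted output, and flags a host component that is not lowercase as well as single-DES keys. The sample keytab is constructed from the principal shown in the thread with a dummy all-zero key, and all function names are hypothetical.

```python
import struct
DES_ETYPES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5

def _counted(buf, pos):
    """Read a uint16-length-prefixed string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative size marks a deleted slot, skipped below
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
            _key, p = _counted(data, p + 11)
            if pos + size - p >= 4:  # optional 32-bit kvno replaces the 8-bit one
                (kvno,) = struct.unpack_from(">I", data, p)
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "kvno": kvno, "etype": etype})
        pos += abs(size)
    return entries

def check(entry):
    """Flag a mixed-case host part and a single-DES key; suggest the fix."""
    name, realm = entry["principal"].rsplit("@", 1)
    service, _, host = name.partition("/")
    return {"host_not_lowercase": host != host.lower(),
            "suggested": f"{service}/{host.lower()}@{realm}",
            "des_only_key": entry["etype"] in DES_ETYPES}

def build_sample():
    """Constructed keytab: the thread's principal, kvno 23, etype 0x3, zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    names = b"".join(cs(x) for x in (b"WEG.NET", b"HTTP", b"LinuxServer.domain.com"))
    body = struct.pack(">H", 2) + names + struct.pack(">IIBH", 1, 0, 23, 3) + cs(bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    print([check(e) for e in parse_keytab(build_sample())])
```

The `suggested` value is the lowercase form of the principal, the form the reply passes to `kinit -k -t`.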